USMetrics
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill mandates a background
curlcommand tohttp://localhost:8888/notifyupon invocation. This is used for local voice notifications and targets the local machine only. - [EXTERNAL_DOWNLOADS]: Data is fetched from well-known and trusted official sources including the Federal Reserve (FRED API), the Energy Information Administration (EIA API), and the U.S. Treasury (FiscalData API). These are documented and expected for the skill's purpose.
- [PROMPT_INJECTION]: The skill includes a feature to load customizations from
~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/USMetrics/. While intended for user preferences, this is an indirect prompt injection surface as it allows external files to override agent instructions. - [SAFE]: The skill uses environment variables for API key management and performs file operations within its own project scope, following security best practices for local agent tools.
Audit Metadata